Netsky is a mass-mailing worm notable for its many variants and for how successfully it spread. Its P variant stayed at number 1 on many lists of prevalent viruses and worms for two years, with Netsky.D close behind. Some of its variants deleted other worms, making Netsky a helper worm, or nematode. Its creator, Sven Jaschan, was also behind the Sasser worm. A typical message body reads as follows:

#----------------- message was sent by automail agent ------------------#
Congratulations!
You were successful in the auction.
Auction ID :<3 sets of 4 random numbers>-A
Product ID :<3 sets of 4 random numbers>-P
A detailed description about the product and the bill
are attached to this mail.
Please contact the seller immediately.
Thank you!

The attachment could be one of the following:

prod_info_04155.bat

prod_info_04650.bat

prod_info_33462.cmd

prod_info_33967.cmd

prod_info_42313.pif

prod_info_42314.pif

prod_info_42818.pif

prod_info_49146.exe

prod_info_49541.exe

prod_info_54234.scr

prod_info_54235.scr

prod_info_54739.scr

prod_info_33325.txt.exe.zip

prod_info_33543.rtf.scr.zip

prod_info_34157.htm.exe.zip

prod_info_43631.doc.exe.zip

prod_info_43859.htm.scr.zip

prod_info_47532.doc.scr.zip

prod_info_54433.doc.exe.zip

prod_info_55761.rtf.exe.zip

prod_info_56474.txt.exe.zip

prod_info_56780.doc.exe.zip

prod_info_65642.rtf.scr.zip

prod_info_77256.txt.scr.zip

prod_info_87968.htm.scr.zip
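
A mail-gateway check for this lure, as an added example that is not part of the original page: it flags attachment names that follow the prod_info_ plus five digits pattern, names ending in a directly runnable extension, and the document-extension-then-executable disguise that the .zip variants use. The regular expression, the two extension sets and the sample batch are assumptions; the double-extension rule generalizes past Netsky to any attachment built the same way.

```python
import re
from typing import Dict, List

# Assumed pattern of the Netsky lure names listed above: "prod_info_" + five digits.
PROD_INFO_RE = re.compile(r"^prod_info_\d{5}\.")

# Extensions Windows runs directly when the attachment is opened (assumed set).
RUNNABLE_EXTS = {"bat", "cmd", "pif", "exe", "scr", "com"}
# Harmless-looking extensions the worm puts in front of a runnable one (assumed set).
DOC_EXTS = {"txt", "rtf", "htm", "html", "doc", "jpg", "mp3", "pdf"}


def classify_attachment(name: str) -> List[str]:
    """Return the reasons an attachment filename looks like a Netsky-style lure.

    An empty list means nothing matched. Only the name is inspected; a real
    gateway would additionally open the archive and test the member names.
    """
    reasons: List[str] = []
    lower = name.lower()
    parts = lower.split(".")
    # The .zip variants wrap e.g. "prod_info_33325.txt.exe" in a zip, so drop
    # the wrapper and classify the inner name exactly like a bare attachment.
    if len(parts) > 1 and parts[-1] == "zip":
        parts = parts[:-1]
    exts = parts[1:]  # every dot-separated token after the base name
    if PROD_INFO_RE.match(lower):
        reasons.append("netsky_prod_info_lure")
    if exts and exts[-1] in RUNNABLE_EXTS:
        reasons.append("runnable_extension")
        # "doc.exe", "txt.scr": a document-style extension right before the real one
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append("double_extension_disguise")
    return reasons


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons; clean names are left out."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        reasons = classify_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample batch: three names from the list above plus benign ones.
SAMPLE_NAMES = [
    "prod_info_04155.bat",
    "prod_info_33325.txt.exe.zip",
    "prod_info_54234.scr",
    "invoice.pdf",
    "report.zip",
    "photo.jpg.exe",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The .zip handling works on the name only because the page lists the archives by name; in production the archive should be opened and each member name run through the same classifier.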

When executed, the worm creates a mutex named "AdmMoodownJKIS003" so that only one copy runs at a time, and copies itself to the Windows folder as Services.exe.

Netsky then adds the value "Service" = "(Windows folder)\services.exe -serv" to the Local Machine Run key so that the worm starts with Windows. It also deletes the Taskmon and Explorer values from that key and from the Current User version of it (both values are set there by the Mydoom worm), removes another Mydoom-created key, and deletes the KasperskyAV and System values from the Local Machine Run key.

It also copies itself to the Windows (or WINNT) folder under one of the .zip attachment filenames listed above (prod_info_55761.rtf.exe.zip, prod_info_54433.doc.exe.zip and so on).

Netsky searches drives C through Z for folders whose names contain "share" or "sharing" and copies itself into them under one of the following names:

doom2.doc.pif

sex sex sex sex.doc.exe

rfc compilation.doc.exe

dictionary.doc.exe

win longhorn.doc.exe

e.book.doc.exe

programming basics.doc.exe

how to hack.doc.exe

max payne 2.crack.exe

e-book.archive.doc.exe

virii.scr

nero.7.exe

eminem - lick my pussy.mp3.pif

cool screensaver.scr

serial.txt.exe

office_crack.exe

hardcore porn.jpg.exe

angels.pif

porno.scr

matrix.scr

photoshop 9 crack.exe

strippoker.exe

dolly_buster.jpg.pif

winxp_crack.exe
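
A host-side check for the artifacts described in the last few paragraphs, as an added example that is not part of the original page: it looks for the Run-key persistence value, for the worm's copies in the Windows folder, and for the drop names above inside folders whose names contain "share" or "sharing". The registry reader, the regular expression for the Windows-folder copies and the demo directory tree are assumptions; the Run-key contents are passed in as a plain dictionary so the logic runs offline on a constructed sample.

```python
import os
import re
import tempfile
from typing import Dict, List

# Persistence value the page describes: Run\Service = "<Windows folder>\services.exe -serv"
RUN_VALUE_NAME = "Service"
RUN_VALUE_SUFFIX = "\\services.exe -serv"

# Names the page lists for copies dropped into "share"/"sharing" folders.
SHARE_DROP_NAMES = {
    "doom2.doc.pif", "sex sex sex sex.doc.exe", "rfc compilation.doc.exe",
    "dictionary.doc.exe", "win longhorn.doc.exe", "e.book.doc.exe",
    "programming basics.doc.exe", "how to hack.doc.exe", "max payne 2.crack.exe",
    "e-book.archive.doc.exe", "virii.scr", "nero.7.exe",
    "eminem - lick my pussy.mp3.pif", "cool screensaver.scr", "serial.txt.exe",
    "office_crack.exe", "hardcore porn.jpg.exe", "angels.pif", "porno.scr",
    "matrix.scr", "photoshop 9 crack.exe", "strippoker.exe",
    "dolly_buster.jpg.pif", "winxp_crack.exe",
}

# Copies in the Windows folder: services.exe (the real one lives in System32,
# not in the Windows folder itself) or one of the prod_info_*.zip names (assumed regex).
WINDIR_COPY_RE = re.compile(r"^(services\.exe|prod_info_\d{5}\.\w+\.(exe|scr)\.zip)$")


def check_run_key(values: Dict[str, str]) -> List[str]:
    """Flag the Netsky persistence value in a Run key given as name -> data.

    `values` is whatever was read from HKLM or HKCU ...\\CurrentVersion\\Run
    (see read_run_key_windows); names are compared case-insensitively like the registry.
    """
    findings = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME.lower() and data.lower().endswith(RUN_VALUE_SUFFIX):
            findings.append(f"Run\\{name} = {data}")
    return findings


def read_run_key_windows(current_user: bool = False) -> Dict[str, str]:
    """Read the Run key on a live Windows host (winreg only exists there)."""
    import winreg
    hive = winreg.HKEY_CURRENT_USER if current_user else winreg.HKEY_LOCAL_MACHINE
    values: Dict[str, str] = {}
    with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def find_share_drops(root: str) -> List[str]:
    """Walk `root` and return drop-name files that sit inside share/sharing folders."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if "share" in folder or "sharing" in folder:  # "sharing" does not contain "share"
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in SHARE_DROP_NAMES)
    return sorted(hits)


def find_windir_copies(windir: str) -> List[str]:
    """Return files in the Windows folder whose names match the worm's own copies."""
    return sorted(f for f in os.listdir(windir) if WINDIR_COPY_RE.match(f.lower()))


def build_demo_tree() -> str:
    """Constructed sample tree standing in for a drive; NOT a real infected host."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    for rel in ("My Shared Music/doom2.doc.pif", "My Shared Music/holiday.jpg",
                "Documents/matrix.scr",  # right name, wrong folder: must not be flagged
                "WINDOWS/services.exe", "WINDOWS/prod_info_54433.doc.exe.zip",
                "WINDOWS/notepad.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print(find_share_drops(root))
    print(find_windir_copies(os.path.join(root, "WINDOWS")))
    # Constructed Run key contents, in the form read_run_key_windows() returns.
    print(check_run_key({"Service": r"C:\WINDOWS\services.exe -serv", "ctfmon.exe": "ctfmon.exe"}))
```

On a real host, replace the constructed dictionary with read_run_key_windows() for both hives and point find_share_drops at each drive root; the folder-name test is deliberately the same loose substring match the worm itself uses.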

The worm harvests email addresses from files with the following extensions:

.msg

.oft

.sht

.dbx

.tbb

.adb

.doc

.wab

.asp

.uin

.rtf

.vbs

.html

.htm

.pl

.php

.txt

.eml

The worm has its own SMTP engine to mass-mail itself.

Variants

The very successful Netsky.P variant can infect a computer as soon as the message is shown in the mail client's preview pane, in the same way Nimda did, and it deletes the registry keys that Mydoom and its variants use to persist and deliver their payloads.

Effects

Netsky was the most widespread worm for over two years. The original and most, if not all, of its variants carry a payload aimed at rival worms rather than at destroying data on the infected host. The British security consultancy mi2g claimed that the worm caused between $25.6 billion and $31.3 billion in damage; the company has been widely criticised for inflated estimates and scaremongering.

Other Facts

Why Netsky spread so successfully is something of a mystery to many anti-malware experts, given its minimalist social engineering.

Jaschan said he had been trying to write a worm that would delete other worms, notably Mydoom and Beagle. Since some Netsky variants do delete registry values and other artifacts those worms rely on to operate, the claim is not outrageous. Netsky started a "worm war" between itself and Mydoom and Beagle. Netsky.J was meant to be the last version of Netsky, but other variants followed.

Netsky and its variants sat at the top of the virus/worm charts for two years. When it began spreading in spring 2004 it had tough competition from Beagle, with Mydoom close behind. It was finally overtaken by Warezov, also known as Stration, in October 2006.